A Guide On PCI DSS Compliance
Posted By Create
There's a lot to know when you run an ecommerce store: a variety of legislation to adhere to and, if you want to accept card payments through your store, the requirement to be PCI DSS compliant as well. Confused by it all? Read on to find out what being PCI DSS compliant means and how it may affect your business.
What does PCI DSS Stand For?
PCI DSS (Payment Card Industry Data Security Standard) is a set of requirements designed to ensure that all companies that process, store or transmit card information maintain a secure environment for doing so. It is a subject many people are unsure about, and something we are often asked about here at Create.
The requirements cause confusion largely because people do not understand what they specifically mean for their business. So we've teamed up with Barclaycard's PCI DSS expert, Michael Christodoulides, and put a few of our most frequently asked questions to him, to help you understand the basics of this tricky subject. We'll also clarify what it means for your ecommerce store.
What does PCI DSS Compliance mean?
PCI DSS Compliance means that the controls described within the regulations have been applied. These are set out to protect cardholder account data - this is the data used by consumers/businesses to purchase goods or services via card payment.
See the HelpCentre guide "Understanding PCI DSS And How To Comply" for more information.
Who does this affect?
All merchants that store, process, transmit or can impact the security of cardholder account data must implement and maintain the controls described within the PCI DSS. Everyone must assert their compliance with the PCI DSS using industry accepted documentation.
How do I know what documentation to submit?
As a merchant, you will first be profiled and then presented with an appropriate set of questions. If you outsource cardholder data activities, the number of questions is significantly smaller. Read all about how to be compliant with PCI DSS from the Standards Council.
My website is with Create, how does this affect me?
If you are accepting card payments through a Create site, then the company that processes your payments, for example Barclaycard, will be responsible for ensuring all transactions are conducted securely. You will, however, still be required to assert your business's compliance with the PCI DSS. You will likely complete one of the Self-Assessment Questionnaires - see the PCI DSS Self-Assessment PDF for more information.
As a consumer, how do you know a site is PCI DSS compliant?
The truth is that at a specific point in time we do not know if a website, or more accurately the company that runs the website, is compliant with the PCI DSS.
If a data security breach were to be reported, there would be an investigation to determine whether PCI DSS compliant controls were in place at the time of the breach. If you are concerned, there are techniques that can be used to evaluate whether a website is compliant; here are some suggestions:
- Ask the website owner for their current Report on Compliance and Attestation of Compliance. Both of these documents are industry-accepted formats.
- Check the lists published by the Card Schemes. Visa Europe operate a Merchant Agent List and Mastercard Worldwide operate a Service Provider List.
- Make enquiries with the Payment Card Acquirer as to whether they have information on certain websites.
All companies that run ecommerce stores need to be PCI DSS compliant. However, some will be eligible for a lower level of compliance than others, depending on the information stored within their website. As all card information is held by a third-party provider within Create websites, the level of compliance required for your website will be low.
We would always recommend seeking professional advice when it comes to legislation and legal requirements for your business. There are also many useful resources online that will help inform you about PCI DSS compliance - here are our top four:
We'd like to thank Michael from Barclaycard for answering these questions; with his help we are able to better understand PCI DSS compliance.
If you have any further questions, please leave a comment on the post or contact your Account Manager at any time. We are always happy to help.